I have a small domain which contains several domain users. How can I set users to have administrator permissions ( for installing software) but limit them to accessing mass storage devices and dvd-rom? Also, I want to set limitations on accessing user and group management within Windows. I add their domain user to the administrators group on the local machines they can add new local users, which I want to block.

1 Answer
1

It's a bit hard to make out what you're asking, but you can't have it both ways. You can't have them as admins on the box, and yet still limit their access to other stuff. It's one or the other....

As a matter of caution, I would advise against having users as local admins on their workstations. Bad Things usually happen; usually involving you having to re-image the workstation because they installed some malware or another.

If you're in a domain, I can't rightly fathom why your users would need to add other users to the local machine. You do that kind of thing from ADUC, not the local machine. And if it's a small enough workplace, installing software that they need isn't too big of a deal. I would prefer that over the alternative myself.